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® Electronic transaction system. 



® An electronic transaction in which in order to 
improve a reliability of message certification by digi- 
tal signature and enable the use of the digital signa- 
ture in a fonnal transaction in place of conventional 
signature or seal, the following procedures are im- 
plemented utilizing the fact that, in a public key 
2* cryptograph system represented by an RSA system, 
^ a first encoded message derived by encoding a first 
O) decoded message by using a public key of a first 
O transacting party is equal to a second encoded mes- 
»sage derived by encoding a second decoded mes- 
^sage by using a public key of a second transacting 
party: a) Check sender/receiver; b) Add content cer- 
^tification function c) Double check the person by the 
O possession of a secret key and the response by a 
l^tenminal: d) Add a time limit to an effective period of 
Ujan electronic seal; e) Add a grace period to ttie 
electronic seal; and f) Send back a tally impression 
from the receiver t the send r. 
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ELECTRONIC TRANSACTION SYSTEM 



BACKGROUND OF THE INVENTION 

The present invention relates to an electronic 
transaction and more particularly to an electronic 
transaction system which electronicaily effects 
commercial transactions by computer documents 
Instead of conventionai documents. 

In the past, contracts are authenticated or vali- 
dated by signatures or seals. Where data are trans- 
mitted ttirough a communication like electronic 
transaction Ijetween two parties having interests to 
each other, even if the signature and seal data are 
converted to digitaJ signals for transmission, they 
may t>e easily copied and hence they cannot be 
used for authenticity. Accordingly, the authenticity 
of the message by digital signature which* cor- 
responds to the normal signature and seal is re- 
quired. In order for the message authenticity to be 
effective as formal transaction in place of the signa- 
ture or seal, the following four conditions should t^e 
met 

<a> Only the transmitter can prepare a signed 
message such as a contract It cannot be forged by 
a third person. 

(b) The receiver cannot alter the signed 
message. 

(c) The transmitter cannot later deny the fact 
of transmission. 

(d) The receiver cannot later deny the fact of 
reception. 

The following mettiods have boon proposed to 
achieve the digital signature. 

(1) Digital signature which uses conventional 
cryptograph 

(2) Digital signature which uses public key 
cryptograph 

(3) Digital signature by hybrid system 
Characteristics and problems of those three 

methods are described below. 



(1) Digital signature which uses conventional 
crystograph 

Many digital signature methods which use the 
DES (data encryption standard) system crypto- 
graph have been proposed but notarization is re- 
quired or the receiver can alter the signed mes- 
sage because the transmitting station and the re- 
ceiving station have a common authenticity key. 
Accordingly, no practical signature system has 
t)een known. 



(2) Digital signature which us^s public key cryp- 
tograph 

The digital signature can t>e relatively easily 
5 attained by using the public key cryptograph sys- 
tem represented by an RSA (Rlvest-Shamir-Ald- 
leman) algorithm. 

Rg. 1 shows a chart of a prior art digital 
signature by the public key cryptograph. 
10 In a step 101, a message M from a sender A is 

inputted. 

In a step 102, a decoded message D (M. SKa) 
is produced by decoding (deciphering) the mes- 
sage M by a secret key SKa of the sender A. 
75 In a step 103. the decoded message D (M. 

SKa) Is further encoded (enciphered) by a public 
key PKb of a receiver B to produce a cryptograph 
message L « E (D (M, SKa), PKa). which is sent to 
the receiver B. 'v-j^^^^^i.J^ 
20 In a step 104. the data L is received by the 

receiver B is decoded by the secret key SKb of the 
receiver B to produce D (M. SKa). 

In a step 105, the decoded message D (M. 
SKa) is endoded by the public key PKa of the 
25 sender A to produce the original message M. 

In a step 106, the message M is supplied to 
the receiver B as an output data. 

In the present ftow chart the cryptograph mes- 
sage M carmt be decoded in the step 104 unless 
30 Ihe secret key SKa is known. Only the receiver B 
knows SKe. In the step 102; only the sender A wtw 
knows the secret key SKa can produce D (M, SKa). 
Accordingly, it is assumed that it is A that has sent 
the message M and it is B that has received the 
35 message. 

When the message M is not a conventionai 
sentence but random data, it is difficult to deter- 
mirie whettw M is proper or not As an approach 
thereto, an kJentifier of tiie sender, and identifier of 
40 the receiver, a serial numljer of the message and a 
date may be sent together with the message. In 
this case, an unauthorized act such as copying the 
signed message for repetitive transmission is pre- 
vented. 

46 However, in the RSA system, the encoding and 

decoding time is lor^ t)ecause of complex opera- 
tion and a time-consuming problem will arise when 
the message is long. 

50 

(3) Digital signature by hybrid system 

This system utilizes th advarrtages of the DES 
cryptograph system and the RSA cryptograph sys- 
tem In a well-mixed manner. 

2 
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In this system, the conventional (ordinary) mes- 
sage is sent by the DES cryptograph communica- 
tion and the transmission of the key and the au- 
thenticity .utilize the RSA system. The message to 
be authenticated (validated) is first compression- 
decoded by the DES system to determine Hash 
Total. Rg. 2A shows a process therefor. In Hg. 2- 
(a), the following steps are carried out 



Step 1: 

Rrst 64 bits of an input message I are defined 
as I,. The U is encoded by an encoder 21 by using 
a cryptograph key K. The encoded result is defined 

as O,. . 

Ek (1.) - O. 

The 64 bits of an input message subsequent to first 
64(i-1) bits are defined as If. 



Step 2: 

Next 64 bits of the input message which follow 
to l{ are defined as l|+i. An exclusive OR circuit 22 
exclusively ORs I i*, and 0| and an output thereof 
is encoded by the encoder 21 by using the key K. ' 

Ek(li*i + Oi)-*Oi*i 



Step 3: 

If i < n-1, i is incremented by one and the 
process returns to the step 2. If not i < n-1. Oi*, = 
On is outputted and the process is tenminated. The 
RSA system digital signature is made only to the 
data having the finally produced cryprtograph bkxrfc 
(Hash total) On and data information added thereto. 

In this system, even the digital signature to the 
long message can be processed in a short time. 

The above systems do not meet the above- 
mentioned condition (c) of tfie digital signature, that 

f is, "^e^eoder^cannot later de ny the fact of tran sr 
mission". In Se^ysBifrwhicriTjges^ffieF^ie con- 

_^^fi53°IiaLjayptQgraph_-or-the-publie-key~crypt^ 
9'^!l»JtA^s„enderJalseiy_Jnsists-,that_the„secret 

^l<ey"has been stolen and so^meQDftJ3ie_pre 

;7aami?yimWaug Tonzatgn^^ determme" 
whe ther it is true or not. 

Fthe secret key lias been actually/ ^olen. it 
tums out that all messages signed before are un- 
creditable. Accordingly, in the digital signature, 
there is a sever requirement that the secret key 
must b absolutely protected. 



As described above, ti^e. condition (c) is not 
met so long as the signatures are made by only 
the two persons, the sender and the receiver. 

It has been proposed to meet the condition (c). 
5 by communicating through a reliable authentication 
(notary) organization. Rg. 3 illustrates a prindpl 
tiiereof. 

In Rg. 3. a sender 34 sends a data consisting 
of message and signature to an authentication or- 
70 ganization 31. The autiientication organization 31 
adds date information to the received data 35 to 
prepare data 32, which is sent to a receiyer 33 and 
also recorded in a log 37. The sender 34 cannot 
later deny his message because tfie record is 
TS logged in tiie log 37 of the autiientication organiza- 
tion 31 . In this case, the sender may insist that the 
secret key has been stolen and someone has 
forged the message. Such insistence can be pre- 
vented by sending the same data 36 as the data 32 
20 back to the sender 34 for confirmation. 

Other problems are who the authentication or- 
ganization should be and a large volume of mes- 
sage to be recorded. 

As a modification of (3). a method for determin- 
es ing a Hash total by data compression encoding by 
DES in the hybrid digital signature is explained with 
reference to Rg. 4. 

In Rg. 4, the following steps are carried out. 

30 

Step 210: 

An input message M is divided into n 56-bit 
blocks Ml . M2. Mn 

35 

M » Ml, M2, Mn 



Step 202: 

40 

A parity bit is added to every seven bits of Mi - 
(I = i, 2, n) to produce Ki (i = 1, 2, n). 



45 Step 203: 

The following step is repeated for j = 1.2, 

50 10-1) is encoded by using iq as a cryptograph key. 
and the encoded result and l(i-1) are exclusively 
ORed to produce l(|). 

IQ) - IQ-I) • EKi (l(i-1)) 

55 

where l(o) is an initial value. 
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Stop 204: 

H(M) = l(n) - 

OigitaJ signature by the RSA system is made to 
the resufting cryptograph block compression en- 
coded message H(M). 

Referring to Rg. 2B, a method of digital signa- 
ture by the hybrid system is explained. 

A sender 301 calculates a short character 
string H(M) from a message M 302 by the data 
compression encoding, produces a digital signature 
E (H(M) . S k) 306 by an encoder 305 by using a 
secret key Sn 304 and sends rt to a receiver 307. In 
order for the receiver 307 to recognize that the 
message 302 and the digital signature 306 are true 
and valid, the receiver 307 decodes the digital 
signature E (H(M) , S^) 306 by a decoder 309 to 
produce the original character string H{M) * 310. 
and calculates a character string H(M) "311 from 
the message 302 in the same manner as the 
sender 301 did. Both are compared by a compara- 
tor 312 and if they are equal, the message 302 is 
true and valid so long as the receiver believes that 
the sender 301 is a sole ovmer of the secret key Sk 
304. 

In this method, the digital signature to a tong 
message can be processed in a short time, but this 
method does not meet the condition (d ^jthe re- 
^(Wiver canno t later deny the fa ct of r»t^Rtim]Ll5r 
^ihe-rBCxAsmrmer denies the fact of reception, the 
sender has no evidence to deny it 



SUMMARY OF THE INVENTION 

It is an object of the present invention to pro- 
vide an electronic transaction which eliminates the 
disadvantages In the digital signature encountered 
in the prior art system, realizes a furiction of an 
authentication organizatran, reduces the quantity of 
message to be recorded concerning such as the 
content of a contract and meets the following con- 
ditions. 

(1) Only a sender can prepare a signed 
message. It cannot be forged by a third party. 

(2) A receiver cannot alter the signed mes- 
sage. 

(3) The sender and receiver cannot later 
deny the facts of transmission and reception, re- 
spectively. 

In order to achieve the above object one fea- 
ture of the present invention includes the. following 
steps. / 

§ Sender and receiver are checked. / 
Content certificate function is added. 
The sender or receiver is double- 
checked by the possession of a secret k y and a 
terminal r sponse. 



an 



(2) A time limit to an effective period for 
electronic seal is set 

(D A grace period is added to the electronic 
seal. _ • 

5 © A tally impression is sent from the re- 

ceiver back to the sender. 
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BRIEF DESCRIPTION OF THE DRAWINGS 



Fig. 1 is a flow chart of a prior art digital 
signature procedure which uses a publk: key cryp- 
tograph system. 

Figs. 2A, 2B and 4 show principles of known 
75 data compression cryptograph, 

Rg. 3 shows a prior art digital signature 
system whk:h uses an authenticatkm organization, 

Rg. 5 shows a first system configunation of 
an electronk: transaction system to which the 
so present invention is applied. 

Rg. 6 shows a flow chart of a procedure in a 
first embodiment of the present invention, 

Rg. 7 shows a flow chart of a procedure in a 
second embodiment of the present invention, 
26 Rg. 8 shows a flow chart of a procedure in a 

third embodiment of the present invention, 

Rg. 9 shows a second system configuration 
of the electronic transaction system to whk:h the 
present invention is applied. 
30 Rg. 10 shows a flow chart of a procedure of 

a fourtin emtxxJiment of the present invention, 

Rg. 11 shows a third system configuration of 
the electronic transaction system to which the 
present invention is applied, arKt 
35 Rg, 12 shows a flow chart of a procedure in 

a fifth emtxxliment of the present invention. 



DESCRIPTION OF THE PREFERRED EMBODI- 
40 MENTS 

In order to fadlitate the understanding of the 
present invention, the contents of the above items 
® -(§) are explained in detail. 

45 

Confirmation of sender and receiver 



In the following description, the sender of the 
transaction message is referred to as a signer and 
the receiver is referred to as a certifier. 

Two sets of public key and secret key in the 
public key cryptograph system are prepared. They 
are (public key, secret key) : (PKs, SKs) and (PKn. 
55 SKr). where SK 5 is owned only by the signer and 
SKfi is owned only by the certifier, and PKe and 
PKr are copied to all concemed. 
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Assuming that a message M cx)nsists of m 
binary bits, the following is met in th public key 
cryptograph system. 

M = E (D(M. SKs), PKs s 
= E(D(M. SK^ PKr .....(1) 

where D f , K) is a message decoded from a 
message ' by a key K, and E r. K) is a cryptograph io 
encoded from the message ' by the key K. The 
same message is supplied to the signer and the 
certifier, who decode it by their own secret keys 
and the decoded resuHs D (M, SKs) and D (M. 
SKr) are disclosed to the persons concerned, who is 
encode D (M. SKg) and D (M, SKr) by using the 
signer's and certifier's public keys PKs and PK r ' 
which the persons concerned possess. The per- ' 
sons concerned can confirm that the formula (1) is 
met if the signer and the certifier properly used 20 
their secret keys. If the formula (1) is not met the 
persons concemed may determine that the secret 
key of the signer or the certifier is not valid. 

For example, if the signer forges the signed 
message by using a false secret key SKs*( ^ SKs ) £5 



E (D(M. SKsO PKs) ^ E (D(M. SKg) . PKg) 

E (D(M, SKsT PKs * E (D(M. SKr) . PKr) „(2) 30 

Thus, the persons concemed may determine that . 
the secret key used by the signer or the certifier is 
an unauthorized one. 

It is very rare that the formula (1) is met in 35 
spite of the fact that the signer or the certifier 
forged the signed message by using the false 
secret key. because, assuming that the length of 
the message M is 200 bits, a probability that the 
formula (1) is met by the false secret key S is 1/2*" 40 
*^ 6 X 10-*\ which is negligibly small. 

It Is difficult for a third person to steal the 
secret key of the signer or certifier and transact as 
if he were the signer or certifier, because the true 
signer and certifier, who are also the persons con- 46 
earned, can detect a third person who transacts in 
place of the signer or certifier once the D (M. SKs) 
or D (M, SKr) is disclosed. 

Where the key K for D C. K) is kept in secret, it 
is difficult for a third person who is unaware of the so 
secret key K to forge a key K' for the message M 
to meet D (M, K) « D (M, K'). 

The D (M. K) thus prepared is hereinafter re- 
ferred to as an electronic seal by the owner of the . 
secret key K. and the message M for certifying the ss 
validity or authenticity .of the electronic seal is 
ref rred to as certificate data. If a person who * 
received the electronic seal has a corresponding 



public key, he/she can detect who. prepared the 
electronic seal and the content of the message. 
However, other person than the owner of the secret 
key K cannot produce the electronic seal D {M. K) 
based on the certificate data M. The same certtf'^ 
icate data is decoded by the signer and certifier by 
their respective secret keys and the decoded re- 
sults D (M. SK s) and D (M. SKr) are exchanged 
between both. The certifier can confirm that the 
sender of D (M, SKs) is the signer himself if the 
certifier can get M in accordance with the fonmula - 
(1) by encoding D (M. SKs) by the public key PKs 
of the signer. The signer can also confirm that th 
sender pf D (M. SKr) is the certifier himself if th 
signer can get M in accordarice with the formula - 
(1) by encoding D (M, SKr) by the public key PKr 
of the certifier. When the persons concemed are 
presented with D (M. SKs) and D (M. SKr) from the 
signer or certifier, they encode D (M. SKs) and D - 
(M, SKr) by using the public key PKg of the signer 
and the public key PKr of the certifier. The per- 
sons concemed can determine whether the secret 
key used is authorized one or not by checking if 
the formula (1 ) is met or not 



@ Addition of content certificate function 

In order to certify the content .of the trans 
mitted data, a message I is data compresskjn ea- 
coded (Rg. 2) by using the key K. High order m 
bits of the finally produced block On is used as a 
Hash total (I, K) for the message I. 

Assuming that m =64 and different messages I 
and r are data compression encoded, a probability 
of 

C (r, K) = C (I. K)..... (3) 

is 1/2" ii 5 x 10-**. which is almost null. 

When the signer sends a message, he/she 
data-compression-encodes It and opens the Hash 
total (data compression encoded message) to the 
persons concemed. The signer and certifier keep 
the originals of the message. Thus, if an issue later 
occurs on the original, the original may be again 
data-compression-encoded to check whether it 
matches to the initial original. 

The message I may be used as an encoding 
key in an encoding system for certifying the con- 
tent A predetenmined input data 10 is encoded by 
the encoding key to produce a Hash total C (10. I). 
In the present encoding system, it is difficult to 
detemnine the encoding key I firom the input data 10 
and the output data C (10. 1) which both have been 
received. 
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Assuming that th length of the output data is 
64 bits and diferent messages I and J* are used as 
the encoding key, a probatMlity of 

C (10. V) = C (10, I)..... (4) 

is 1/2^ M 5 X lO-**, which is almost null. 

The C (10, I) is inserted in the certificate data 
at a predetenmined position so that C (10, I) is 
reproduced from the certificate data. When the 
signer, certifier or person concerned gets the mes- 
sage !• and C (lO. I), he/she first encodes the data 
10 by using the message I' as a key. arK* then 
compares the encoded resuit or Hash total 0 (10, 
I*) with C (10. I). If they are equal, it means that the 
given message r is equal to the original message I, 
and if they are not equal, it means that the given 
message V is not equal to the original data 1. 

Double check of the signer and certifier by the 
possession of the secret key and the terminal re- 
sponse 

The transaction procedure is established such 
that the signer and certifier respond to the call from 
the partner before they inputs their own secret 
keys. Thus, if the secret key is stolen by a third 
person, who intends to involve in the electronic 
transaction, at least one call is made by the signer 
or certifier before the transaction is executed. Ac- 
cordingly, the signer or certifier can detect the third 
person's involvement 

©Addition of time limit of effective period of 
electronic seat 

When the signer and certifier make their elec- 
tronic seals and tally impressions, they add dates 
which Indicate the effective period of the eiecti-onic 
seals and tally impressions. This indicates to the 
transaction partner who received the electronic seal 
and tally impression a due date to respond, and 
declares that the transaction will be terminated and 
the electronic seal and tally impression so far ex- 
changed will become ineffective unless response is 
received by tiie due date. If ttie signer or certifier 
does not receive tfie response to the electronic 
seal and tally impression he/she sent, he/she ir>- 
forms it to the authentication organization together 
with the electronic seal and tally impression so that 
the electronic seal and tally impression are invali- 
dated. Thus, if the signer or certifier intentionally 
attempts to delay ttie execution of the transaction 
by non-retuming the response, the authentication 
organization auttienticates that ttie electronic seal 
and tally impr ssion so far exchanged ar invalid 



and the transaction has been terminated. Accord- 
ingly, safety in the transaction procedure is as- 
sured.. 



(5) Addition of grace period for electronic seal 

When the signer or certifier prepares his/her 
electronic seal and tally impression, he/she adds a 
10 grace period date for the electronic seal and tally 
impression at a predetenmined position on the cer- 
tificate data. This means to indicate' to tiie partner 
of transaction who received the electronic seal and 
tally impression a grace period during which the 
rs partner is permitted to tenminate the transaction. 
Before or during ttie grace period, ttie partner can 
terminate the transaction and declare ttiat ttie elec- 
tronic seal and tally impression so far exchanged 
are invalid. TTius. if the signer or certifier finds any 
20 defect in the transaction or finds that ttie electronic 
seal or tally impression received from ttie partner is 
unauttwized one. after ttie signer or certifier has 
sent the electronk: seal and tally impression, 
he/she informs it to the authentication organizatiori 
zs together witti ttie electronic seal and tally impres- 
sion so that the electronic seal and tally impression 
are invalidated. Thus, if an invalid transaction is 
made or if an opposition is k)dged to the received 
electronic seal or tally ImpresskMi, the authentica- 
30 tion organization will auttienticate ttiat the electronic 
seal and tally impression so far exchanged are 
invalid and ttie transaction has been terminated. 
Accordingly, safety in ttie transaction procedure is 
assured. 

3S 

Transmission of tally impression from certifier 
to signer 

^ When the certifier receives tfie message M 
from the signer and confirms the content of the 
message M and agrees to the to^sactibn, he/she 
prepares Hash totals h, = H. (M) and h, » H, (M) 
for a predetermined data 10, and combines high 

45 order bit sequence h, vritti a time data T to produce 
a tally impresskxi certificate data (T. h,). The tally 
impression certificate data is decoded by ttie se- 
cret key SKr of ttie certifier to prepare an elec- 
tronic tally impresskDn D ((T, h,) , SK «), which is 

50 sent to the signer as a response of agreement to 
ttie transaction by ttie message M. The signer 
encodes the electronic tally impression (D ((T. h,), 
SKr) by ttie public key PK« of ttie certifier to 
produce the original tally impression certificate data 

55 E {D((T. hO, SKr). PKp) « (T, h,). The signer 
confirms the fact tiiat the high order bit sequence 
hi of the Hash total of th message M is included 
in ttie electi-onic seal which can be prepared only 
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by the certifier, and the sign r may use It as a 
counterevidence when the certifier later denies the 
fact of transaction and does not send back th 
electronic seal of the certifier and escapes with the 
electronic seal of the signer. 

The present invention is now explained for spe- 
cific emtxxtiments. 

Fig. 5 shows a* configuration of an electronic 
transaction system to which the present invention 
applies. Rg. 6 shows a flow chart of a procedure 
for emtDOdying the present invention in the configu- 
ration of Rg; 5. 

Where a creditability of Journal management in 
an intermediation terminal 406 of Hg. 5 is high, the 
elements in Rg. 5 are operated in accordance with 
tiie flow chart shown in Rg. 6. 



Step 601: 

A signer 401 prepares a contract 1 by a signer 
terminal 404 and records it in the signer terminal 
404. He/she also enters a name of the signer 401 
and a name of a certifier 409 to the signer terminal 
404. 



Step 602: 

The signer terminal 404 sends the contract I 
and the name of the signer 401 to a certifier 
terminal 407 via the intermediation terminal 406. 



Step 602(a): 

The intermediation terminal 406 records the 
transmitted contract I. 



Step 603: 

The certifier terminal 407 calls fhe certifier 409 
and displays the contract I and the name of the 
signer 401 . 



Step 604: 

The certifier 409 watches the display of the 
certifier tenminal 407 to confirm the contract of the 
signer 401 and depress a certificate accept button. 



Step 605: 

The certifier t rminal 407 prepares received 
date as a certificate data such as "14:35:14. Feb- 
s mary 19, 1985*. 



Step 606: 

70 The certifier 409 inputs a certifier secret key 

SKr. 



Step 607: 

76 

The certifier tenminal 407 prepares a certifier 
electronic seal T = D (M. SKr) by decoding ttie 
certificate data M by the secret key SKr of ihe 
certifier 409, and sends it to tiie signer 401 at the 
20 signer terminal 404 via the Intermediation terminal 
406. 



Step 608: 

25 

When the intermediation terminal 406 receives 
T, it immediately opens it to persons concerned by 
transmitting it to the persons concerned, or printing 
It on publication. 

30 

Step 609: 

When a signer temtinal 404 receives T, It en- 
35 codes rt by the certifier public key PKr to repro- 
duce the original certificate data. 

M = E(D(M. SKr).PKr) 

40 It checks the content of the certificate data and 
checks the following. 

(1) If tfie time shown in tiie M is close to tiie 
reception time at the signer terminal 404. whether 
the true certifier 409 is actually present at the 

45 certifier terminal 407. 

(2) If tiie time shown in the M is far from the 
reception time of the signer terminal 402 or makes 
no sense, it is judged that a false certifier is 
present at the certifier terminal 407. 

50 In the present example, M is "14:35:14 Feb- 

mary 19. 1985" and tiie decision (1) is made. If (2) 
is met. a message to terminate the transaction is 
sent to the certifier 409. 

55 
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Step 610: 

The signer 401 enters the signer seer t key SK 
s to the signer terminal 404, 



Step 611: 

The signer terminal 404 decodes the certificate 
data by using the signer secret key SKs to the 
reproduced certificate data to prepare a signer 
electronic seal V. 

V = D (M. SKs) 



Step 612: 

The signer terminal 404 sends the V prepared 
in the step 611 to the certifier terminal 407 via the 
intermediation terminal 406. 



Step 613: 

The intemriediatlon terminal 406 data- 
compression-encodes the set of V and I by using 
an intermediation tenminal secret key B. 

W » C(B. (V. I)) 

The contract I has been recorded in the inter- 
mediation terminal 406 in the step 602 (a). The V 
and W are- opened to the persons concerned in the 
same manner as that in the step 608. 



(2) If M* does not match to the certificat 
data M prepared in the step 605. It is judged that a 
false signer is present at the signer t rminal 404 
and a transaction rejecf signal is sent to the inter- 
5 mediation terminal 406. 



Step 616: 

10 When the intenmediation terminal 406 receives 

the transaction accept signal, it sends a signal of 
transaction agreenr>ent to the signer terminal 404 
and certifier terminal 407 and records T. V and W. 
The contract I is deleted from the record. 

IS When the intermediation terminal 406 receives 

the transactton reject signal, it sends a signal of 
transaction disagreement to the signer terminal 404 
and certifier tenninal 407, and deletes the records 
of T. V, W and 1. 

20 

Step 617: 

When the certifier terminal 407 receives the 
25 signal of transaction success, it records the con- 
tract I and the T. V. W in the file 411. and the 
certifier keeps the file 411. 



30 Step 618: 

When the sigrier terminal 404 receives the 
signal of trarisaction success, it records the con- 
tract I and the T. V, W in the file 403, and the 
35 signer 401 keeps the file 403. 



Step 614: 

When the certifier tenminal 407 receives the V, 
it encodes it by using the signer public key PKs- 

M' « E (V, PKs) 

="6(0 (M. SKs) . PKs) 



Step 615: 

The certifier terminal 407 checks if the en- 
coded result M* in the step 614 matches to the 
certificate data M in the step 605. 

(1) If M' matches to the certificate data pre- 
pared in the step 605, it is judged that the signer 
401 himselfyherself is actually present at the signer 
terminal 404 and a transaction accept signal is sent 
to the intermediation terminal 406. 



Modification 1 of the first embodiment 

40 If the contract I is confidential information, the 

encoding of the contract by a conventional cryp- 
tograph may be added. A secret key X of the 
conventional cryptograph has been previously ex- 
changed between the signer and the certifier, and 

46 the secret key X is also sent to the intermediation 
tenminal 406. The steps 602, 602 (a) and 603 are 
modified as folk>ws. 



50 Step 602: 

The signer tenninal 404 prepares a crypto- 
graph r by encoding the contract I by using ttie 
secret key X of tiie conventional cryptograph. 
55 Then, the signer terminal 404 sends the cryp- 
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tograph 1' of the contract and the name of the 
signer 401 to the certifi r terminal 407 via the 
intermediation terminal 406. 



Step 602.(a): 

The intemnediation tenriinal 406 decodes the 
cryptograph I' of the contract by using the secret 
key X of the conventional cryptograph to prepare 
the original contract I. Then, the intermediation 
terminal 406 records the name of the signer 401 . 
the name of the certifier 409 and the contact I. 



Step 603: 

The intermediation terminal 406 decodes the 
cryptograph I' of the contract by using the secret 
key X of the conventional cryptograph to prepare 
tiie original contract 1. Then, the certifier terminal 
407 calls the certifier 409 and displays the contract 
1 and the name of the signer 401 , 



Modification 2 of the first embodiment 

In the step 606 or 610 of the first embodiment, 
if the certifier secret key SKr or signer secret key 
SKsto be entered by the certifier or signer is long, 
a certain number of bits of the secret key may be 
recorded on a magnetic card and the remaining 
bits are memorized by tfie certifier 409 or signer 
401 as a secret number. When the certifier 409 or. 
signer 401 enters the secret key» he/she sets the 
magnetic card and enters the secret number, and 
the terminal synthesizes the secret key based on 
those input information. 

In a second embodiment, a high creditability is 
not put on the Intemnediation terminal 406 of Rg. 5 
but the journal Information is replaced by the elec- 
tronic seal to eliminate the joumal management. 
The operations of the elements in Rg. 5 are ex- 
plained with reference to a flow chart of Rg; 7. 

Step 501: 

The signer 401 enters a transaction message I 
to the signer terminal 404 and enters the secret 
key SKs of himselMierself, the name of the signer 
401 and the name if the certifier 409. 



Step 502: 

Th signer terminal^ 404 prepares Ek (1) by 
encoding the transaction message I by -using the 
5 cryptograph key k. and sends Eic (I) . tiie name of 
the signer 401 and the name of the certifier 409 to 
the certifier terminal 407. 



70 Step 503: 

The certifier terminal 407 decodes the transac- 
tion message i by using the cryptograph key k. 

IS I = Dk (E,(l)) 

and it displays the transaction message I on a 
screen of the certifier terminal 407. 

20 

Step 504: 

The certifier watches the transaction message I 
displayed on the display screen of the certifi r 
25 terminal 407, and if he/she Judges that he may 
proceed with the transaction, he/she enters his/her 
secret key SKr. 



30 Step 505: 

The certifier terminal 407 prepare data T of a 
predetermined format i^r example, ttie data T 
represents a current time such as "15:32:12 April 
35 11.1985-. 



Step 506: 

40 The data D is decoded by using the secret key 
R in a predetermined public key cryptograph sys- 
tem to prepare D (T. SKr), which is sent to the 
signer terminal 404 via the intermediation terminal 
406. 

45 

Step 507: 

The intermediation terminal 406 starts its op- 
60 eration in response to the reception of D (T. SKr). 



Step 508: 



The signer terminal 404 encodes D (T, SKr) by 
using the certifier public key PKr to pr pare T = 
E (D(T, SKr). PKr). If T* matches to the predeter- 
mined format, it is judged that the c rtifier 409 
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hims tf/herself is actually present at the certifi r 
terminal 407. In the present example, since th 
content of T is same as that of T. that is, "15:53:12 
April 11. 1985". the atx)ve judgement is made. 



Step 500: 

The signer 401 knows that the certifier 409 
himself/herself is present at the certifier terminal 
407 and the certifier 409 has judged to accept the 
transaction of the transaction message I. The sign- 
er 401 depresses the seal accept button of the 
signer terminal 404 in order to prepare his/her 
electronic seal. 



Step 510: 

The signer terminal 404 prepare the following 
cryptograph data C (10, I) by using the transaction 
message I as the cryptograph key. 

(1) Cli(IO) is a j*bit length output data derived 
by encoding a j-bit length input data 10 by an m-bit 
length cryptograph key h. The cryptograph system 
has been predetermined. In this cryptograph sys- 
tem, it is difficult to determine the cryptograph key 
li based on the input data 10 and the output data ICi 
(K)). 

(2) The transaction message is sectioned 
into n m-bit blocks l„ I,. ... I„. If the length of the 
last block I„ does not reach m bits, "I" bits are 
added to attain the m-bit bkx:k 1^ 

(3) The input data 10 is encoded by the Key I 
(ito produce O,. 

Cli (I) - 01 

i = 1 

(4) Oi is encoded by the key li*i to produce 

CIk, (0,)-*OI|., 

(5) i + 1 — i. If i S n-1 . the process returns to 
(4). Othen^vise, Ot*i = 0„ is outputted. 

The encoded message 0„ is called a Hash 
total of the transaction message I and expressed 
by C (10, 1). 

C (10. I) * O „ 

T and C (10, 1) are combined to prepare 
W a (T, C(IO. I)) 



Step 511: 

W is decoded by the public key cryptograph 
system by using the secret key SKs to prepare the 
6 eiectronic seal D (W, SKg), which is sent to the 
certifier terminal 407 via the ihtermediati©n terminal 
406. 



10 Step 512: 

The intermediation terminal 406 records D (W 
SKg). 

IS 

Step 513: . 

The certifier tenninai 407 encodes D (W, SKs) 
by the signer public key PKs to prepare W. 

20 

W = E {D(W. SKs) . PKs) 

It also prepares a Hash total C (10, I) to the 
transaction message I in the same manner as the 
25 step 510. 

If r « T and C (lO. V) « C (10, I) when W ^ 
(T , C(IO. r)). "T' « T and C (10. V) = C(IO, I)" is 
displayed on the screen. 

30 

Step 514: 

The certifier 409 watches T « T and C (lO, 
I') = C (lO. !)" displayed on the certifier terminal 

35 407 to judge that D (W. SKg) was prepared by the 
signer 401 himself/herself based on the transaction 
message I, and decides to prepare and send the 
electronic seal of the certifier 409 himself/herseff. 
He/she depresses an electronic seal prepare/send 

40 button of the certifier terminal 407. 



Step 515: 

45 The certifier terminal 407 decodes W by the 

public key cryptograph system by using the cer- 
tifier secret key SKn to prepare the electronic seal 
D (W, SK«). ft sends D (W, SKr) to the inter- 
mediation terminal 406 and the signer terminal 404. 

50 

Step 516: 

The intermediation tenninal 406 records D (W, 

55 SKr). 
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Step 517: 

The signer terminal 404 encodes D (W, SKr) 
by the public key cryptograph system by using the 
certifier public key PK r to prepare W". 

W- = E (D(W. SKr) . PK r) 

If W = W, it is judged that D (W, SKr) was 
prepared by the certifier 407 himself/herself based 
on the transaction I, and the signer terminal 404 
sends a signal "acknowledged" to the intermedia- 
tion terminal 406. 



Step 518: 

When the intermediation terminal 406 receives 
the "acknowledged" signal from tiie signer terminal 
404, It erases the recorded D (W, SKs) and D (W, • 
SKr) and terminates the operation. 



Step 519: 

The signer temninai 404 records the transaction 
message I. electronic seal D (W, SK^) of the signer 
401 and electronic seal O (W. SKr) of the certifier 
409 in the certifier file 411. and terminates the 
operation. 

Step 520: 

The certifier terminal 407 records the transac- 
tion message I, electronic seal D (W, SKs) of the 
signer 401 and electronic seal D (W, SKr) of the 
certifier 409 in the certifier file 41 1 . and terminates 
the operation. 



Step 521: 

The signer 401 keeps tiie signer file 403. 



Step 522: 

The certifier 409 keeps tiie certifier file 411. 



Modification 1 of second eml3odiment 

In the -step 518 of the second embodiment the 
intermediation terminal 406 may record the elec- 
5 tronic seals D (W, SKs) and D CW, SKr) instead of 
erasing them* to keep them as an evidence of 
transaction. 



70 Modification 2 of second embodiment 

In the steps 501 and 504 of the second em- 
bodiment a portion of information on the secret 
key may be recorded In a magnetic card or IC card 

rs and the slgnal/certifier memorizes the rest of the 
information on the secret key as a secret number. 
When the secret key SKr is to be entered, the 
secret key is synthesized from the readout of the 
information from the magnetic card or IC card and 

20 the key entry of the secret number. 



Modification 3 of second , embodiment 

25 In the step 501, 504. 509 or 514 of the second 

embodiment, a checking function of the person by 
voice pattern or fingerprint before input operation 
may be added to the terminal. 

Rg. 8 shows a flow chart of a procedure for 

30 transacting by an electronic seal with a time limit 
for an effective period in accordance with a third 
emtxidimerrt of the configuration shown in Rg. 5. 

Steps 711 -713 which are different firom ttio 
flow chart of Rg. 7 are primarily -explained. 

3S 

Step 711: 

The signer tenminal 404 prepares the time limit 
40 of the effective period of the electronic seal in a 
predetermined data format to set the time limit V. 
For example, tiie time limit V Is "17:30:00 April 11 
1985", 

The previously prepared T and C (10. I) and 
45 the V are combined to prepare 

W = (V. T, C (lO. I)) 



50 Step 511: 



W is decoded by the public key cryptograph 
system by using the secret key SK s to prepare D 
(W. SKs) , which is sent to the certifier terminal 
55 407. 
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St p712: 

Th certifier terminal 407 encodes D (W. SKs) 
by the signer public key SK r 408 to prepare Vf, 

W « E (D(W, SKs). SK r) 

It also prepares a Hash total C (lO. 1) for the 
transaction message I in the same manner as the 
step 510. 

If T = T and C (10, I') = C (10, I) and V* is of 
a predetermined format when W = (V, T, C (lO. 
I)), then = T and C (lO. 1') = C (ID. I)- and 
mme limit of electronic seal = V " are displayed 
on the screen. In the present example, the content 
of V is same as that of V. that is, "ISzaOKX) April 
11,1985V 



Step 713: 

The certifier 409 watches 'T' » T and C (10, 
I') « C (10. I)" and "Time limit of electronic seal = 
V - displayed on the certifier terminal 407 and 
judges that D (W. SKs) was prepared by the signer 
401 himself/hersel based on the transaction mes- 
sage I and the time limit is V*. and decides to 
prepare and send the electronic seal of the cer- 
tifier. He/she then depresses the electronic seal 
prepare/send button of the certifier terminal 407. 

In the third embodiment the second and third 
modifications of the second embodiment equally 
apply- 
In accordance with the above first and second 
embodiments, the electronic transaction which 
meets the fofiowing conditions is provided. 



[I] Advantages concerning the first embodiment 

(1) Only the sender can prepare the signed mes- 
sage. It cannot be forged by a third person. 

This is t>ecause the encoded message V of the 
certificate data can be prepared only by using the 
secret key SKs which is owned only by the signer. 
If the third person attempts to transact with V other 
than V of the certificate data, the certifier can 
detect in the step 614 that the signer is a false one, 
and the persons concerned who have the public 
key PKs can detect that the transaction is not 
effective because the encoded results of T and V 
publkazed by the intemnediatfon temninal. by using 
the public key PKs of the certifier and signer do not 
match each other. 



(2) The receiver cannot modify the signed mes- 
sage. 

The set of the encoded message V of the 
5 certificate data and the contact message I is data- 
compression^ncoded by the' secret key B . of the 
intermediation terminal and the resulting Hash total 
W is recorded and opened to the persons con- 
cerned. Accordingly, if one of the parties who has 

10 the encoded message V of the certificate data and 
the contract message I brings the data and en- 
codes the contract message by the certifier public 
key PKb in font of the other party, and causes the 
intenmediation terminal to data-compfession-en- 

T5 code the set of the encoded message and V to 
produce W, and W is compared with the pre- 
viously opened result W, then the content certifica- 
tion is attained. If W » w, the contents are iden- 
tical and rf W * w. the contents are not identical. 

20 Because the .encoded messagiss T and V of 
the certificate data are opened to the persons con- 
cerned during the transaction, the persons con- 
cerned can check who are now transacting. Ac- 
cordingly, it is hard to a third person who has 

25 stolen the secret key to conduct an unauthorized 
transaction as if he were the sender or receiver. 



(3) The sender and receiver cannot later deny the 
30 fact of transmission and reception. 

In order for the electronic transaction to t>e 
effective, the party must enter Its secret key at 
least once and responds to the call from the other 
35 party. That is, the party is double-checked. When 
the party responds to the call in the temninal, the 
person may be checked by the fact that he/she has 
the magnetic card as shown in the nrwdification 2 
of the embodiment or the person may be checked 
40 by the voice pattern or fingerprint so that the 
personal check functron is further enhanced. 

Since the encoded messages T and V of the 
certificate data are opened to the persons con- 
cerned during the transaction, the pereons con- 
45 cemed can check who are now transacting. Ac- 
cordingly, it is hard for a third person who has 
stolen the secret key to conduct an unauthorized 
transaction as If he/she were sender or receiver 
because it may be detected by the true sender or 
50 receiver or the persons concerned. 

The Hash total W for assuring the content of 
the contract message I is once opened arKj then 
recorded and kept in the intermediation terminal. It 
is therefore difficult to deny the fact of transmission 
55 or reception by modifying or destroying ttie record. 
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" In the present system, the .content of commu- 
nication is not disclosed when the data is opened . 
at the intemiediation temiinal. What is opened at * 
the intemiediation temriinaJ is not the communica- 
tion text itself but the Hash total which is prepared 5 
by data-compresston-encoding the set of the com- 
munication text and the encoded message of tha 
certificate data. It is impossible to estimate the 
communication text based on the Hash total. 

Since the data which the intermediation termi- jo 
nal records and keep are the certificate data T and 
V and the Hash total W. the load for maintenance 
is lower than that when the entire contract nnessage 
I is maintained. 



[II] Advantages concerning the second embodiment 

(1 ) The third person cannot conduct transaction as 

if he/she were the signer by the following reasons. 20 

(a) Check of possession of secret key. 

The electronic seal O (W. SKs) can be pre- 
pared only by using the secret key SKs which only 25 
the signer possesses. If the third person prepares 
the electronic seal D (W. SKs') by the key SK s* 
other than the secret key SKs, the certifier terminal 
detects that it is a false electronic seal in the step 
513. 30 

n is difficult for the third person to conduct the 
transaction unless he/she knows tha secret key of 
the signer. 

35 

(b) Check by response to call 

The third person who attempt to conduct an " 
unauthorized transaction must depress the seal ac- 
cept button in the step 509. The certifier depresses 4o 
the transaction accept button in the step 504 and 
the call is made to the signer in the step 508. 
Accordingly, it is hard for the third person to con- 
duct the transaction unless he/she prevents the 
signer from responding to the call, 45 



(2) Third person cannot conduct unauthorized 
transaction as if he/she were certifier by the follow- 
ing reasons. 50 

(a) Check by the possession of secret key 

The electronic seal D (W, SKr) can be pre- 
pared only by using the secret key SKr which is 55 
possessed only by tiie receiver, if the third person 
prepares the electronic seal 0 (W» SKr) by the key 
SKr* other tiian the secret key SKr. the signer 



terminal detects that it is a false electronic key In 
the step 517. The same is true for the decoded 
message D (T, SKr) of the ID. A false message D - 
(T, SKr') is detected in the step 508. Accordingly, 
it is hard for the third person to conduct the trans- 
action unless he/she knows the secret key of th 
third person. 



Check by response to call 

The third person who attempts to conduct the 
unauthorized transaction must depress the transac- 
tion accept button and tine seal accept button in th 
steps 504 and 514. The call to tiie signer is first 
made, and then the call to the certifier is made In 
the certifier terminal. Accordingly, it is hard for the 
third person to conduct the transaction unless 
he/she prevents the certifier from responding to the 
call. 



(3) Certifier cannot modify the transaction message 
by the following reasons. 

(a) Check by possession of secret key 

Let us assume that the certifier prepared a 
forged message T of the transaction message I. In 
this case, the certifier cannot prepare the electronic 
seal D (W, SKs ) which the signer shouW hav 
prepared. 

W- = (T, C (10, 1)) 

Since the certifier is unaware of the secret key SKs 
of the signer, he/she cannot prepare D (W, SKs) 
when W is given. Let us assume that the certifier 
has prepared D (W. SKs) by using the. key SKg 
having a bit length of 200 bits. A protxability that 

D (W, SKs') D (W. SKs) 

is 1/2** 6 X 10-*'. which is practically null. If a tiiircl 
person in a fair position calculates E (D(W. SKs). 
PKs) and E (D(W. SKr). PKr) for tiie certifier data 
r. and D (W. SKs') and D (W. SKr), those do not 
match. It is ttius seen that one of the electronic 
seals is false and the data set of tiie certifier is 
invalid. If SK,' is the tme secret key. 

W = E (D(W. SKs*). PKs) 

= E (D(W, SKr). PKr) 
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should be met. Accordingly, it is hard for the third 
person to modify the contract messag unless 
he/she is awar . of th secret key ' of the signer. 



Check by response to call 

In the modification 1 of the embodiment, the 
evidences of the electronic seals D (W. SKs) and D 
(W. SKr) must have t>een left in the step 518. The 
certifier wtu) attempts to modify the transaction 
message must prepare the response to the call by 
the signer in the step 509 in order to leave the 
record. Accordingly, even rf the certigier coukJ 
know the secret key SKg of the signer, it is difficult 
for the certifier to modify the transaction message 
unless the certifier can issue the respcwrise in the 
step 509 without being noticed by the signer. 



(4) Signer cannot deny the content of transaction 
after transaction has been executed. 

This is by the same reason as that for (3) in 
which the certifier cannot modify the transactton 
message. 

In the present system, the content of commu- 
nication is not disclosed in the intermediation termi- 
nal. The information transmitted to the intermedia- 
tion terminal is not the communication text itself 
but the Hash total derived by data-compressiorb 
encoding the communication text, and it is impos- 
sible to guess the original communication text from 
the Hash total. 



(5) Certifier cannot escape with electronic seal of 
signer 

(a) Check by time limit of electronic seal 

The electronic seal D (W. SKs) of the signer 
includes the time limit V for the electronic seal 
which the signer has prepared in the predeter- 
mined form. 

W = (V, T. C (10. I)) 

If the response from the certifier is not received 
before the time limit V, the signer judges that the 
certifjer has no intention to conduct the transaction 
and invalidates the electronic seal D (W, SKs) by 
informing the electronic seal to the authentication 
organization. As a result, it is impossible for the 
certifier to escape with the electronic seal and 
make unauthorized use thereof. The authenication 



organization has a" function to assure th invalida- 
^on of the electronic seal and it is utilized only 
when the necessity to prove the invalidity of the 
electronic seal arises. 

s Rg. 9 shows anotho' configuration of the elec- 

tronic transaction system to which the present in- 
vention is applied, and Rg. 10 shows, a ftow chart 
of a procedure in a fourth embodiment of the 
present invention in the configuration of Rg. 9. 

10 The operations of the elements of Rg. 9 are 

explained with reference to the ftow chart of Rg 
10. 



ys^ Step 5010: 

The signer 401 enters the transaction message 
M from a message file 4020 to a.signer electronic 
>wsaction unit 404, and enters his/her secret key ; 
20 SKs. the name of signer 401 and the name of the 
certifier 426 by an tC card 4030. 



Step 5020; 

Ttte signer electronic transmission unit 404 en- 
codes the transaction message M by using^the 
message cryptograph key K of a message encoder 
4050 and a memory 4060 to prepare EK(M), and 
30 ^_se nd8 Ek(M), the name of the sig ner 401 and the 

J'^^^^^Jf^^^^^ tfirough a' communication cckv 



"trdl unit 413. 



35 



Step 5030: 



The sigrmr electronic transaction unit 404 pre- 
pares a compressed cryptograph H(M) by a com- 

40 pression function generator 4070 by using the 
transaction message M as a cryptograph key. 

<1) H(M) is in Brtit output data derived by 
compression-encoding an 8-bit input data 1(0) by 
an 8-bit cryptograph key K1. The cryptograph sys- 

45 tem has been predetenmined. In this cryptograph 
system, it is difficult to detennine the cryptograph 
key K1 based on the input data 1(0) and the output 
data H(M). 

(2) The transaction message is sectioned 
50 into n 58-bit btocks M1, M2. Mn. If the length 

of the last btock Mn does not reach 56 bits, bits 
"0" are added until the length of the block Mn 
reaches 56 t>it5. 

(3) One parity bit is added to every seven 
55 bits of the bk)cks so that the btock length is x- 

panded to 64 bits. The expanded bkxrks ar des- 
ignated by K1. K2. Kn. 
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(4) The input data is encoded by* the 
key Ki, and the encoded result is xclusively OHed 
with ) to produce I(i). 

I(i) « I(i-1) + EKi (10-1)) 

The above process is repeated for 1 = 1, 2. n. 
The initial value 1(0) is a predeterminer one. 

(5) The finally detennined l(n) in the step (4) 
is used as H(M), which Is divided into high order 
and low order data hi and h2. 

H(M) = (h1. h2) = l(n) 



Step 5040: 

The certifier electronic transaction unit 423 de- 
jx>des~BTe e ncoded nrtessaQeB <fM)by using the 
message encoder 422 and the oyptograph key K. 

M = DK {EK(M)) 

It informs the transaction message M to the cer- 
tifier 426. 



Step 5050: 

The certifier 426 watches the transaction mes- so 
sage M decoded in the step 5040. and if he/she 
judges that the transaction may be proceeded, 
he/she enters his/her secret key SKr by the IC 
card 424. 

* 35 

Step 5060: 

The certifier electronic transaction unit 423 r 
compression-encodes the transaction message M 4o 
by using the compression encoder 420 in the same 
manner as the step 5030 to prepare H(M) = (hi. 
h2). It also prepares a data in a predetermined 
format as an ID T by a clock generator 417. In the 
present example, the ID T may be a current time. 46 
for example. "15:53:12 April 11, 1985*. 



Step 5080: 

Th tally impression certificate data W1 is de- 
coded by the seal/tally impression encoder 415 by 
usin^ the secret key SKr by the predetennined 
public key cryptograph system to prepare D (Wl, 
SKr), which is sent to the signer electronic transac- 
tion unit 404. 



Step 5090: 

The signer electronic transaction unit 404 en- 
codes D (\Ari. sk r) by the seal/tally impression 
encoder 412 by using the certifier public key PKr 
of the memory 4060 to prepare Wl* » (E {P(W1, : 
SKr), PKr). The encoded result WV is compared 
by the comparator 4110. If T matches to th ; 
predetermined format and hi' is equal to hi pre- 
pared in the step 5030, it is judged that the certifi r ^ 
426 himself/herself is present at the certifier elec- ' 
tronic trarisaction unit 423. In the present example, 
the content of T is equal, to that of T, that is; 
"15:53:12 April 11. 1985" and the above judgement 
is made. ' 



Step 5100: 

The signer 401 notifies that the certifier 426 
hinself/herself is at the certifier electronic transac- 
tion unit 423 and the certifier 426 has dea'ded to 
accept the transaction for the transaction message 
M. The signer 401 depresses the seal accept but- 
ton to prepare his/her electronic seal. 



Step 5110: 

The signer electronic transaction unit 404 en- 
ters (hi, h2) prepared in the step 5030 and P 
prepared in the step 5090 to the certificate data 
preparation circuit 4090 to prepare the tally certif- 
icate data W2. 

W2 = (r, h1.h2) 



Step 5070: 

A tally impression certificate data Wl is pre- 
pared by a certificate data preparation circuit 418 
from the ID T and the high order data hi derived 
from the encoded data H(M> by a divider 419, 

Wl = (T. hi) 



Step 5120: 

50 

The tally impression certificate data W2 is de- 
coded by the seal/tally impression encoder 412 by 
using the secret key SKg by the predetermined 
public key cryptograph system to prepare D (W2. 
55 SKs), which is sent to the certifier electronic trans- 
action unit 423. 
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Step 5130: 

The certifier electronic transaction unit 423 en- 
codes D (W2, SKs) by the seal/tally impression 
encoder 415 by the signer public key PKg of the 
mefBory 421 to prepare W2". 

W2" » E(D(W2, SKs). PKs) 

The comparator 4160 checks if T" = T and (hi', 
h2") = (hi. h2) when W2" = (T". hi". h2"), and 
informs the result to the certifier 426. 



Step 5140: 

When the certifier 426 confirms that the result 
in the step 5130 is "T" = T and (hi". hZ") = (hi, 
h2)". he/she judges that D (W2, SKg) has been 
prepared by the . signer himself/herself based on 
the transaction message M. and decides to prepare 
and send the electronic seal of the signer. He/she 
depresses the electronic seal prepare/send button 
of the certifier electronic transaction unit 423. 



Step 5150: 

The certifier electronic transaction unit 423 pre- 
pares the seal certificate data W2 by the certificate 
data preparation circuit 418 from (hi. h2) and T 
prepared in the step 5060. ! 



Step 5160: 

The certifier electronic transaction unit 423 de- 
codes W2 by the seal/tally impression encoder 415 
by using the certifier secret key SKr of the IC card 
424 by the public key cryptograph system to pre- 
pare D (W2, SKr). which is sent to the signer 
electronic transaction unit 404. 



Step 5170: 

The signer electronic tnansaction unit 404 en- 
codes D (W2. SK r) by the seaiAally impression 
erwxxter 412 by using the certifier public key PKr 
of the memory 4060 by the public key cryptograph 
system to prepare W". 

W2" = E (D(W2. SKr). PK r) 

If the comparator 411 indicated that T" = T and - 
(hi". h2") = (hi. h2) when W2" = fP. hi", h2"), 



it is judged that D (W2. SKr ) has been prepared 
by the certifier 426 himself/h rself based on the 
transaction messag M. 

5 

Step 5180: 

The certifier electronic transaction unit 404 
records the transaction message M. the electronic 
10 seal O (W2. SK«) of the signer 401 and the elec- 
tronic seal D (W2. SKg) and tally impression D - 
(W2, SKr) of the certifier 426 in the message file 
4020. and terminates the operation. 

75 

Step 5190: 

The signer 401 keeps the message file 4020. 

so 

Step 5200: 

The certifier electronic transaction unit 423 
records the transaction message M. the electronic 
26 seal D (W2. SKg) of the signer 401. and the elec- 
tronic seat D (W2, SKr) and tally impression D - 
(W2. SKr) of the certifier 426 in the message file 
425. and terminates the c^)eration. 



Step 5210: 

The certifier 426 keeps the message file 425. 

35 

Modification 1 of the embodiment 

In the steps 5010 and 5050 of the present 
emtKxJiment a portion of the informatton on the 

40 secret key is recorded in a magnetic card or IC 
card and the rest of the infonmation of the secret 
key Is memorized by the signer or certifier as a 
secret number. When the secret key SKg or SKr is 
to be entered, it is inputted by reading the informa- 

45 tion from the magnetic card or IC card and keying 
the secret numfc>er by the secret key SKgor SKr. 

Modification 2 of the embodiment 

50 

In the step 5010, 5050. 5100 or 5140 of the 
present embodiment, the terminal may confirm the 
person by the voice pattern or fingerprint before 
the signer or certifier enter the information. 
55 In the present modification, the signer or cer- 

tifier cannot escape with the lectronic seal be- 
cause of the tally impression check. If the certifier 
does fKrt send the certifier's electronic seal D (W2. 
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SKr) and denies the transaction after the signer 
has sent the signer's electronic seal D (W2, SK r) 
when the signer and the certffi r electronically 
transact the transaction message M. the signer 
may prove that the certifier attempts to deny thC 
fact of transaction and escape wrth the signer's 
electronic seal by decoding the tally impression by 
the public key PKr of the certifier and checking 
the content thereof. The tally impression D (W1. 
SKr) sent by the certifier to the signer prior to the 
exchange of the electronic seal Includes the high 
order data hi of H(M) = (hi, h2) prepared by 
compressiorvencoding the transaction message M 
sent by the signer. 

W1 = (T. hi) 

It is difficult to prepare the secret key which 
meets 

D(W1.SKr*) » D(W1.SK„) 

by the same reason as the third person cannot 
conduct the transaction as if he/she were the cer- 
tifier. Accordingly, it is only the certifier who has 
the secret key SKr ttiat can prepare the tally im- 
pression which irK:iudes the high order data of the 
compression-encoded message of the transaction 
message M. 

Rg. 1 1 shows other configuration of the system 
of the present invention, and Rg. 12 shows a flow so 
chart of a procedure in a fifth embodiment of the 
present invention in the configuration of Rg. 11. 
Operations of elements In Rg, 11 are explained 
with reference to the flow chart of Rg, 12. 



Step 2010: 

The signer 104 enters the transaction message 
M from the message file 110 to the signer elec- 
tronic transaction unit 111. 



Step 2020: 

The signer electronic transaction unit 111 
sends the input transaction message M to the 
certifier electronic transaction unit 122 by the com- 
munication control unit 107. 



Step 2030: 

The certifier electronic transaction unit 122 re- 
ceives the transaction message M and displays it 65 
on the display 114. 



Step 2040:- 

The certifier 112 confirms the trarisaction mes- 
sage M displayed on the display 114. 



Step 207: 

The certifier electronic transaction unit 122 ed- 
its the input grace period T„ sender/receiver ID. 
time information To generated by the timer 120 and 
information for identifying the content of the trans- 
action message M through the transaction status 
data edit circuit 118 to prepare {produce) the trans- 
action status data W, = (T,. HJ. 



Step 208: 

The certifier electronic transaction unit 122 en- 
codes the transaction status data W, by the 
seal/tally impression encoder 117 by using the 
secret key SKROf the certifier read from the IC card 
113 to prepare (produce) the certifier electronic 
taUy impression N, = E (SKr. W.). which is sent to 
the signer electronic transaction unit 111 by the 
communication control unit 116. 



Step 209: 

Thie signer electronic transaction unit 111 de- 
codes the certifier electronic tally impression Ni by 
the sealftally impression encoder 1060 by using th 
public key PKr of the certifier registered in th 
memory 109 to prepare the transaction status data 
W, = D (PKr, N.). which is displayed on the 
display 1020. 



Step 205: 

The certifier 112 reviews the content of the 
10 transaction message M and accepts to proceed 
with the transaction. 



75 



20 



Step 206: 

The certifier 112 enters the grace period T, of 
the certifier electronic tally impression N, and the 
sender/receiver ID to tiie certifier electronic trans- 
action unit 122 by the keyboard 115. 
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Step 210: 

The signer 1040 confirms the content of the 
transaction status data W, displayed on the display 
1020 to check on the validity thereof.* 



Step 211: 

The signer 1040 accepts to proceed with the 
transaction depending on the result of the validity 
check of the transact'on status data W,.' 



Step 212: 

The signer 1040 enters the grace period T, of 
the signer electronic seal N, and the 
sender/receiver ID to the signer electronic transac- 
tion unit 1 1 1 by the key tx>ard 1 01 0. 



Step 213: 

The signer electronic transaction unit 111 edrts 
the input grace period Ta, sender/receiver ID. time 
information To generated by the timer 108 and 
information for identifying the content of the trans- 
action message M through the transactfon status 
data edit circuit 1050 to prepare the transaction 
status data W, = (Tj, H,). 



Step 214: 

The signer electronic transaction unit ill en- 
codes the transaction status data W, by the seal/ 
tally impression encoder 1060 by using the secret 
key SKs of the signer read from the IC card 1030 
to prepare the signer electronic seal N, = E (SKs, 
W,). which is sent to the certifier eiectrontc transac- 
tion unit 122 by the communication control unit 
107. 



Step 215: 

The certifier electronic transaction unit 122 de- 
codes the signer electronic seal N, of the seaWally 
impression encoder 117 by using the public key 
PKs of the certifier registered in the memory 1 19 to 
prepare the transaction status data W, » D (PKs, 
N,). which is displayed on ttie display 114. 



Step 216: 

The certifier 112 confirms the content of the 
transaction status data W, displayed on the display 
5 1 14 to check the validity thereof. 



Step 217: 

10 The certifier 112 accepts to proceed with the 
transaction depending on the result of the validity 
check of the transaction status data W,. 



75 Step 218: 

The certifier 112 enters the grace period T, of 
the certifier electronic seal N, and the 
sender/receiver ID to the certifier electronic trans- 
20 action unit 122 by the keyboard 115. 

Step 219: 

25 The certifier electronic transaction unit 122 ed- 

its the input grace period T„ sender/receiver ID, 
time information T, generated by the timer 120 and 
information for kientifying the content of tiie trans- 
action ntessage M through the transaction status 

30 data edit circuit 118 to prepare the transaction 
status data W, « (T,. HJ. 



Step 220: 

The certifier electronic transaction unit 122 er>- 
codes the transaction status data W, by the 
seai/laJly impressk)n encoder 117 by using ttte 
secret key SK r of the certifier read from the IC 
40 card 113 to prepare the certifier electronic seal N, 
- E (SKr. W,), whfch is sent to the signer elec- 
tronic transaction unit 111 by the communication 
control unit 116. 

46 

Step 221: 

The certifier electronic transaction unit 122 
keeps the transaction message M and the elec- 
50 tronic seals N, and N, of both parties in the mes- 
sage file 121. 
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Step 222: 

The dgner electronic transaction untt 111 de- 
codes the certtfler etectronic seal N, by the 
seal/tally impression encoder 1060 by using the 
public key PKr of the oertifter registered tn the 
memory 109 to prepare the transaction status data 
W, « D (PKr, which is displayed on the 
display 1020. 



Step 223: 

The signer 1040 confirms the content of tfie 
transaction status data W, displayed on the display 
1020 to check the validity thereof. 

Step 224: 

The signer 1040 accepts to proceed with the 
transaction depending on the result of the validtty 
check of the transaction status data W,. 



Step 225: 

The signer electronic transaction unit 111 
keeps the transaction message M and electronic 
seals Nz and Ns of both parties in the message file 
110. 

In the steps 211. 217 and 224 of the present 
embodiment the grace period Information Indicat- 
ing the period for permitting interruption of the 
transaction is included in the electronic seal and 
tally impression. If the party who receh/ed the 
electronic seal or tally tmpressk>n lodges an op- 
position- against the received electronic seal or tally 
impression within the grace period, he/she Is en- 
sured to Invalidate the electronic seal or tally im-. 
pression he/she already Issued by reporting the 
termination of the transaction to the put^llc or- 
ganization by the third party. Thus, a dispute dur- 
ing and after the transaction can be prevented. 

If the party who sent the electronic seal or tally 
impression wishes to terminate the transaction be- 
cause something wrong was found later, the trans- 
action can be tenmrnated by reporting it to the 
public organization within the designated grace pe- 
riod. Thus, a wrong transaction Is prevented. 

The grace period may be sent to any period t>y 
the sender of tfie electronic seal and tally impres- 
sion while taking the time necessary for the re- 
ceiver to confirm the content into consideration. 
Thus, even if there Is a difference between the 
processing speeds of the apparatus for preparing 
and checking the electronic seals and tally impres- 
sion of both parties, the system can be flexibly 



operated. Thus, the safety of the transaction is 
assured wh re th apparatus having different per- 
formances such as a personal computer and a 
large scale computer. 
6 In accordance with the present invention, un- 

authorized act by not only the parties but also the 
third person is^ prevented and a highly reHabte 
electronic transaction system is attained. 

Ctabns 

1. An electronic transaction system for elec- 
tronically transacting between first and second tran- 
75 sacting party units (404, 407) by replacing a docu- 
ment with a computer message comprising: 

an intermediation unit (406) intervening between 
said first and second transacting party units and 
20 inckjding means for publicly displaying data; 

display means in saki Intermediation unit for dis- 
playing a first decoded message derived by decod- 
ing a certificate data by the first transacting party 
25 by using a secret key of the ficstiransacting party, 
and a second decoded message derived by decod- 
ing said certificate data by the second transacting 
party by using a secret key of the second transac- 
Ur)g party; and 

30 

means for alk>wing to determine whether the tran- 
sacting parties are said first and second transacting 
parties who have their own secret keys, by a party 
having a public key of the parties in response to 

35 display data on said cflsplay means of the inter- 
mediation unit based on the fact that a first en- 
coded message derived by encoding the first de- 
coded message by using the public key of the first 
transacting party coinddes with a second encoded 

40 message derived by wicodlng the second decoded 
message by using the public key of the second 
transacting party. 

2. An electronic transaction system according 
to Claim 1 wherein said intenmediation unit Includes. 

45 said means for publicly displaying data as well as a 
third secret key arrd data recording means, stores 
therein said first and second decoded messages, 
receives transaction data each time the firet or 
second transacting party sends the tfansaction 

50 data, data-compression-encodes a data prepared 
by anranging the first or second decoded message 
and the transaction data by using the third secret 
key, records and pubflcly displays the encoded 
result, data-compression-encodes the original com- 

55 munication message which the first or second tran- 
sacting party possesses by using the third secret 
key based on th fact that any chang of the 
original data affects to the result of the data com- 
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presston encoding, comparas the encoded result 
witb the recorded data-comprevston-ertcoded resuft 
to certify the content of the transaction data. 

3. An electronic transaction system according 

to Claim 1 wherein the transactioo is effective on*y s 
when the transacting party has communicated with 
the other transactfng party at least once and both 
transacting parties have used their own secret keys 
at least once. 

4, An electronic transaction systm f6r eiec- to 
tronically transacting by replacing a document witti 

a computer message, comprising: 

means for exchanging between a first transacting 
party and a second transacting party a first de- re 
coded message derived by decoding a certificate 
data by a first transacting party by a public key 
cryptograph system by usirig a secret key of the 
first transacting party and a second decoded mes- 
sage derived by decoding said certificate data by a 20 
second transacting party by using a secret key of 
the second transacting party and keeping said first 
and secorxj decoded messages; 

means for encoding the first decoded message by as 
usJfig the pubOc key of the first transacting party by 
a third party having tiro public keys of ttie first and 
second transacting parties and encoding the sec- 
ond decoded message by using the public key of 
the second transacting party by ttie third party 30 
when one of the first and second transacting par- 
ties provkte the first or second decoded message 
to the third party; and 

means for comparing the encoded results to deter- 35 
mine wf>ettier ttie transacting parties are ttie f!rst 
and second transacting parties having the secret 
keys based on ttie fact tttat the first enccxJed 
message derived by encoding the public key of the 
dirst transacting party and the second encoded 4o 
message derived by encoding the secortd decoded 
message by using ttie public key of the second 
transacting party are equal. 

5. An etectronic transaction system according 
to Claim 1 wherein ttie certificate data includes a -cs 
third encoded message derived by encoding a 
predetermir>ed first data message by a predeter- 
mined ttiird cryptograph system by using the trans- 
action message in ttie transaction as a cryptograph 
key and a second data message of a predeter- so 
mined fonmat said tftird cryptograph system has 
such a characteristic ttiat It is difficult to find a 
cryptograph key other than the first transaction 
message which results in an encoded result of ttie 
-ttiird encoded message for ttie given first data 55 
nnessage. one of the first and second transacting 
parties provides tti first arvj second decoded mes- 
sages t a third party who has the public keys of 



the first and second transactirtg parties and knows 
a ttiird cryptograph system, as well as the transac- 
tion message so ttuit ttie tiiird party encodes ttie 
first decoded message by using the public key of 
the first transacting party and encodes the second 
decoded message by using the publk: key of the 
siacond transacting party, It is determine tfiat ttw 
encoded result matches with the originat certificate 
data if both encoded results are equal, and ft Is 
determined ttmt ttie transaction message matches 
with the originaify prepared transaction message if 
ttie result der^ed t>y encoding ttie first data mes- 
sage by ttie ttiird encoding system by using ttie 
transaction message as the crypto^aph key, 

6. A electronic transaction system according to 
Claim 1 wherein when ttie first and second de- 
coded messages are exchanged between ttie first 
and second decoded messages, said intermedia- 
tion unit includes a storage, and the first and sec- 
ond decoded messages are exchanged between 
the transacting parties through the intermediation 
unit and ttie intermediation untt stores ttie first and 
second decoded messages until both parties re- 
ceive ttie decoded message of ttie ottier, check ttie 
contents thereof and second signals to the inter- 
mediation unft. 

7. An electronk: transaction system according 
to Claim 5 wherein ttie second data m^sago In- 
cluded in ttie certificate data includes infomiation 
representing an effective period of an electronk: 
seal in ttie transaction, ttie ttiird encoding system 
has such a characteristic that H is very rare in 
probability ttiat ttie same encoded result Is ob- 
tained when different certificate data are given, and 
when one of the parties received a false decoded 
message or does not receive ttie decoded mes- 
sage from ttie ottier party within ttie effective pe- 
riod after he/she has sent the decoded message, 
he^fie declares the termination of transaction to ari 
auttientication organization so ttiat the invatidatkxi 
of ttie decoded message he/she sent is assured by 
the authentication organization. 

a An electronic transaction system for elec- 
tronically transacting by replacing a document witti 
electric infonmation, characterized in that certfTK^te 
data each including data representing ttie accep- 
tance of a transaction message derived by modify- 
ing information representing transaction status for 
each transacting party and data representing a 
grace period for permitting opposition to ttie tr»is- 
action are exchanged to proceed with tiie transac- 
tion. 

9. An etectronic transaction system according 
to Claim 8 wtierein ttie modification of the ttansao- 
tion status information is made by an asymmetric 
»<ey cryptograph system, on of ttie asymmetric 
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key ts secret, and irtfbrmatian encoded by using 
the secret key is decoded by the other key. to 
identify and certify the transacting party. 

10. An efectrojnic transaction system according 

to CEaim 8 wherein said grace period is determined 5 
by taking a time required to prepare and check the 
certificate data inherent to the transacting party into 
constderatton, arid invalidation of the certificate 
data issued by the transacting party is assured by 
an authentication organization by declaring tiie ter- ro 
minatton of the transaction to the authentication 
organization within the grace perkxi when the tran- 
sacting party has an opposition to the certificate 
data of the other transacting party. 

11. An electronic transaction system for elec- 15 
tronicalJy transacting by repiactng a document vdth 
electric information, comprising: 

means for predetermining a first certificate data 
preparation method for preparing certificate data 20 
Indicating that a transaction message has been 
informally accepted, and a second certificate data 
preparation method different from said first certif- 
icate data preparatiori method for preparing certif- 
icate data Indicating that the transaction message 2s 
has been formally accepted; 

means for providing a first certificate data for the 
transaction message by tiie first certificate data 
preparation method by a first transacting party, and so 
sending it to a second transacting party; 

means for providing a second certificate data for 
the transaction message by the second certificate 
data preparation mettiod by a secorKi transacting ss 
' party after the reception of tiie first certificate data 
from the first trsisacting party; and 

means for providing a third certificate data for the 
transaction message by the second certificate data 4o 
preparation mettwd by the first transacting party 
after the reception of the second certificate data 
from the second transacting party to proceed with 
the transaction. 

12, An electronic transaction system according 45 
to Claim 11 whefein said first certificate data prep- 
aration method uses a predetermined public key 
cryptograph system, encodes first transaction sta- 
tus data representing tansaction status by a secret 

key to prepare the certificate data, and said second so 
certificate data preparation meti>od uses a pre- 
determined public key cryptograph system and en- 
codes second transaction status data different from 
said first transaction status data by a secret key to • 
prepare tiie certificate data. 55 

13. An electronic transaction system according 
to Claim 11 wherein said first transaction status 
data includes a first compression-encoded mes- 



sage derived by compression-encoding the trans- 
action message by a first compres^on encoding 
method, and said second transaction data includes 
a second compression-encoded message derived 
by compression-encoding the transaction message 
by a second compression encoding mettiod otiier 
than the first compression encoding method. 

14. An electronic transaction metiiod for eiec- 
tronically transacting between first and second tran- 
sacting party units by replacing a deocument witii 
a computer message comprising tiie steps of: 

providing an intermediation unit intervening fc>e- 
tween said first and second transacting party units 
and including means for publicly displaying data; 

displaying on said intermediation unit for a first 
decoded message derived by decoding a certif- 
icate data by the first transacting party by using a 
secret key of the first transacting party, and a 
second decoded message derived fay decoding 
said certificate data by the second transacting par- 
ty by using a secret key of the second transacting 
party; and 

determining whether the transacting parties are 
said first and second transacting parties who have 
tfieir own secret keys, by a tttlrd party having a 
pubOc key of ttie parties by ref^ng to the display 
on said intermediation unit t>ased on the fact that a 
first endoded message derived by encoding tiie 
first decoded message by using tiie publk: key of 
the first transacting party and a second encoded 
message derived by encoding tiie second decoded 
message by using the public key of tiie second 
transacting party are ec^. 

15. An electronic transaction metiiod for elec- 
tronically transacting by replacing a document witii 
a computer message, comprising the steps of: 

exchanging t>etween a first transacting party and a 
second transacting party a first decoded message 
derived by decoding a certificate data by a first 
transacting party by a pubOc key cryptograph sys- 
tem by using a secret key of ttie first transacting 
party and a second decoded message derived by 
decoding said certificate data by a second transac- 
ting party by using a secret key of tiie second 
twisacting party and keeping said first and second 
decoded messages; 

encoding tiie first decoded message t>y using the 
public key of tiie first transacting party by a tfiird 
party having tiie public keys of ttie first and second 
transacting parties and encoding the second de- 
coded message by using tiie public key of ttie 
second transacting party by the third party when 
one of the first and second transacting parties 
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provides the first or second decoded message to 
the third party; and 

comparing the encoded results to detenmine vyheth- 
er the transacting parties are the first and second 5 
transacting parties having the secret keys based on 
the fact that the first encoded message derived by 
encoding the public key of the first transacting 
party and the second encoded message derived by 
encoding tfw second decoded message by using lo 
the public key of the second transacting party are 
equal. 

16. An electronic transaction method for elec- 
tronically transacting by replacing a document with 
electric information, comprising the steps of. 75 

predetenmining a first certificate data production - 
scheme for producing certificate data indicating 
that a transaction message has been informally 
accepted, and a second certificate data production 20 
scheme different from said first certificate data 



production scheme for producing certificate data 
indicating that the transaction m ssage has been 
formally accepted; 

providing a first certificate data for the transaction 
message by the first certificate data production - 
scheme by a first transacting party, and sending it 
to a second transacting party; 

providing a second certificate data for the transac- 
tion message by tiie second certificate data pro- 
duction scheme by a second transacting party after 
the reception of the first certificate data from the 
first transacting party; and 

providing a third certificate data for the transaction 
message by the second certificate data production 
scheme by the first transacting party after the 
reception of the second certificate data ft-om the 
second transacting party to proceed wttti the trans- 
action. 
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